Nutrify.AI · Privacy Policy

Privacy Policy for Nutrify.AI

EffectiveMay 1, 2026

Last updatedMay 1, 2026

Nutrify.AI logs only what you tell it: meals, workouts, sleep, labs, weight, journal entries. A bounded slice of that goes to Google Gemini or Anthropic Claude only when you ask the AI for help. We never use your data to train third-party models. Delete your account from inside the app and everything is gone within minutes.

§1

Plain-language summary

Nutrify.AI is a personal nutrition, exercise, sleep, and lab-data assistant. We collect what you tell us and what you log, store it in your account, and send a bounded slice to third-party AI providers when you ask the AI for help. We do not sell your data and do not use it to train third-party models. You can delete everything from inside the app at any time.

§2

What we collect

We do NOT collect: precise location, contacts, browsing history outside the app, microphone audio (speech-to-text converts voice to text on-device or via Apple SpeechFramework before any text leaves your device), Apple HealthKit data (not yet integrated), social-graph data.

Category	Examples	Source
Account identifiers	Email, Apple/Google sign-in subject ID, Supabase user ID	You, when you sign up
Profile	Name, age, sex, height, weight, goals, dietary preferences, activity level	You, during onboarding & in Settings
Health logs	Meals (text + photos), workouts (sets, reps, weight, RPE, duration, extras), sleep (duration, quality, factors), supplements, body weight history	You, in the app
Lab results	PDF/image uploads of blood work + structured analyte values extracted by AI OCR	You, when you upload
Personal Notes / Journal	Free-form text, biomarkers, symptoms, mood entries you type into the Journal	You
Subscription state	Active / inactive Pro tier, RevenueCat anonymous user ID	RevenueCat (our payments processor)
Diagnostics	Crash logs, error stack traces (no PII)	Sentry
Local-only signals	Streak counts, app preferences, cached AI responses	On-device only (SharedPreferences)

§3

How we use your data

We do NOT use your data for: advertising, behavioral profiling outside the app, model training (third-party or our own), sale to data brokers.

Purpose	Lawful basis (GDPR)	Data used
Provide the core service — log, chart, summarize your health data	Contract performance	All health logs, profile
Generate personalized AI recommendations (chat, daily actions, meal plans, sleep insights, supplement advice, workout plans, lab summaries)	Contract performance	A bounded user-context slice + your prompt; sent to Gemini (Google) and, on quota failover, Anthropic Claude
Extract structured analyte values from lab PDFs/images	Contract performance	Uploaded file; sent to Gemini
Bill subscriptions	Contract performance	Apple/Google receipt (handled by Apple StoreKit + RevenueCat)
Detect, fix, and prevent crashes	Legitimate interest	Stack traces, device model, OS version
Comply with App Store, GDPR, CCPA, and applicable consumer-protection law	Legal obligation	Whatever the law requires

§4

Third-party processors

We share data only with the processors strictly required to operate the app, each under a written data-processing agreement.

Processor	Role	Data sent
Supabase Inc.	Authentication, database, file storage (US)	Account + health data + lab files
Google LLC (Gemini API)	LLM inference, embeddings, OCR (US)	Per-request user-context slice + prompt
Anthropic, PBC (Claude API)	LLM inference fallback when Gemini is rate-limited (US)	Same per-request slice as Gemini
Apple Inc.	App Store sign-in, push notifications, StoreKit	Apple-managed identifiers
Google LLC (Sign-in with Google)	OAuth sign-in (US)	Google account ID, email
RevenueCat Inc.	Subscription management abstraction (US)	Anonymous user ID, Apple/Google receipt
Functional Software, Inc. (Sentry)	Crash + error reporting (US)	Stack traces, device model, app version
DevX Group LLC	Operator (us, US)	All of the above, scoped to your account

§5

Where your data is stored

Primary storage is Supabase US-East. Processing for AI inference happens on the AI vendor’s infrastructure (Google US, Anthropic US). Crash diagnostics live on Sentry US. By using Nutrify.AI you consent to international transfer of your data, including, where applicable, transfer outside the European Economic Area, the United Kingdom, or other jurisdictions, under the EU Standard Contractual Clauses or equivalent legal mechanism.

§6

How long we keep your data

Data	Retention
Account + all health logs + journal + lab files	Until you delete your account (hard-delete with 14-day grace window)
AI inference logs at vendors	Per vendor terms (Google ≤ 24h abuse-monitoring; Anthropic ≤ 30d enterprise; neither uses your data to train models)
Backups	Supabase point-in-time recovery up to 7 days
Crash diagnostics	90 days at Sentry, then auto-deleted
Subscription receipts	7 years (tax/audit obligation)

§7

Your rights

Regardless of jurisdiction, you can:

ExportSettings → Account → "Export My Data" (CSV bundle of every table; planned for build 24)
CorrectEdit any log directly in the app; the underlying row updates immediately
DeleteSettings → Account → "Delete Account" — hard-deletes your row in auth.users and cascade-deletes every child table within minutes
Object / restrict / portabilityEmail privacy@devxgroup.io
Opt out of saleWe do not sell. There is nothing to opt out of.
Children's dataNutrify.AI is not directed to children under 16. We do not knowingly collect data from anyone under 16.

If you live in the EEA, UK, or Switzerland, you may also lodge a complaint with your national data-protection authority.

§8

Security

In transit: TLS 1.2+ on every API call. Authentication: Supabase Auth + Apple/Google OAuth + Sign-in-with-Apple. Authorization: Postgres row-level security — every read/write is scoped to your auth.uid(); enforced in the database, not the application. Storage: Apple-managed iCloud-encrypted on device; Supabase-managed AES-256 encryption at rest. API secrets: never embedded in the app binary; all AI keys live server-side in Supabase Edge Function environment variables.

We are a small team. We will not promise SOC 2 today; we will tell you the truth: we follow the practices SOC 2 demands (least-privilege access, encrypted at rest and in transit, audit logs, password rotation, deny-by-default RLS) but we are not externally audited yet.

§9

Health-data disclaimer

Nutrify.AI is NOT a medical device. The advice, summaries, and recommendations the app produces are general wellness information, not medical diagnosis or treatment. Always consult a licensed clinician before changing your diet, exercise, supplementation, or medication.

§10

Children and parental control

The app is rated 17+ on the App Store given the unrestricted scope of AI conversations on health topics. We do not market to children and do not collect data from anyone under 16.

§11

Changes to this policy

If we materially change how we collect or use data, we will (a) update this page, (b) bump the "Last updated" date, and (c) on your next app launch, surface a non-dismissable banner explaining the change before you can continue. Non-material clarifications update silently.

§12

Contact

Privacy questions: privacy@devxgroup.io — typical response within 5 business days.

DevX Group LLC, San Diego, California, USA